Login box (embedded in external portals outside IdP)

Paweł Pogoda paw.pogoda at gmail.com
Fri May 9 08:46:45 EDT 2014


I probably found a solution (after a few tests it seems to work even if the user's
browser is configured to block third-party cookies), but it seems very

I have the following page on the client1 site (it simulates a top bar login box):

<form id="ssoForm" action="https://www.localhostsso.com:8443/remote/remote_login.jsp" method="POST">
<input name="j_username"/>
<input name="j_password" type="password"/>
<input type="submit"/>
</form>
When the user submits this form, the data will be posted to a custom JSP file hosted
on the same domain as the IdP.
Now this is how remote_login.jsp looks:
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<html>
<body style="display: none" onload="onSubmit()">

<script type="text/javascript">
var iframeLoaded = false;

function iframeLoadComplete() {
    // when iframe is loaded, there is login context at IdP
    // (authentication request was sent) - submit form to IdP login handler.
    iframeLoaded = true;
    // form.submit() does not fire onsubmit, so this posts straight to j_security_check
    document.getElementById('ssoForm').submit();
}

function onSubmit() {
    if (!iframeLoaded) {
        // this will create login context (this is real authentication request)
        document.getElementById('iframeContainer').innerHTML =
            '<iframe style="display: none" src="https://www.localhost.com:8443/group/iag"'
            + ' onload="iframeLoadComplete()"></iframe>';
        return false;
    } else {
        return true;
    }
}
</script>

<div id="iframeContainer"></div>

<form id="ssoForm" action="https://www.localhostsso.com:8443/idp/j_security_check"
      method="POST" onsubmit="return onSubmit();">
<%-- fn:escapeXml keeps a crafted parameter from breaking out of the value attribute --%>
<input name="j_username" value="${fn:escapeXml(param.j_username)}"/>
<input name="j_password" value="${fn:escapeXml(param.j_password)}"/>
<input type="submit"/>
</form>
</body>
</html>

It's basically very similar to the solution which I posted previously, but
right now this JSP is hosted on the same domain as the IdP - the iframe could store
After the iframe is loaded (the SAML AuthnRequest is posted to the IdP and the login
context is created) I post this page's form to the IdP login handler (user/password
are taken from the original request parameters).

Now I'm trying to figure out how to handle potential errors (for example an invalid
login/password) and how to transfer them back to the client1 page (I probably need to
make some changes to j_security_check).

Best Regards

2014-05-09 8:49 GMT+02:00 Peter Schober <peter.schober at univie.ac.at>:

> * Peter Schober <peter.schober at univie.ac.at> [2014-05-09 08:39]:
> > Now if you want client1 to both ask for the credentials and actually
> > verify those internally you can still create sessions on the IDP
> > using the ExternalAuthn login handler:
> > https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthExternal
> Probably not the way you wanted, though... I guess that method also
> assumes some previous interaction at the IDP (such as a SAML2
> authnRequest or IDP-initiated request), otherwise you'd be running into
> the same No Login Context issue?
> -peter
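The error hand-off asked about above (getting an invalid login/password back to the client1 page) is where an open redirect can creep in if the return target comes from the request. As an added example, not code from the post or from Shibboleth, here is a Python check that only sends the browser back to an allowlisted portal origin and only with a generic error code; the `return_to` parameter, the allowlist and the error codes are assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed allowlist of portal origins allowed to embed the login box
# (assumption: a real deployment would read this from IdP configuration).
ALLOWED_RETURN_ORIGINS = {
    ("https", "www.client1.example", 443),
}

# Only these generic codes are ever handed back to the portal; the detailed
# failure reason (LDAP error, missing login context, ...) stays in IdP logs.
PUBLIC_ERRORS = {"invalid_credentials", "no_login_context", "server_error"}


def build_error_redirect(return_to: str, error: str) -> Optional[str]:
    """Build the URL that sends the browser back to the portal with an error.

    Returns None when return_to is not an allowlisted portal page, so the
    handler cannot be used as an open redirect to an arbitrary site.
    """
    code = error if error in PUBLIC_ERRORS else "server_error"
    parts = urlsplit(return_to)
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.username or parts.password or not parts.hostname:
        return None  # reject "https://www.client1.example@other.example/" forms
    if port is None:
        port = {"https": 443, "http": 80}.get(parts.scheme.lower())
    if (parts.scheme.lower(), parts.hostname.lower(), port) not in ALLOWED_RETURN_ORIGINS:
        return None
    # Preserve the portal's own query string, replacing any stale sso_error value.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "sso_error"]
    query.append(("sso_error", code))
    # The fragment is dropped: the portal reads the error from the query string.
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", urlencode(query), ""))


if __name__ == "__main__":
    print(build_error_redirect("https://www.client1.example/portal?tab=home", "invalid_credentials"))
    print(build_error_redirect("https://other.example/portal", "invalid_credentials"))
```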